System and method for real-time reporting of anomalous internet protocol attacks

ABSTRACT

A system and a method for detecting anomalous attacks in Internet network flow operate by counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count; computing a running average of the number of messages that are detected as anomalous attacks; and comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average. The attacks can include at least one of spoofing attacks or denial of service attacks. A computer readable storage medium stores instructions of a computer program, which when executed by a computer system, results in performance of steps of the method.

CROSS-REFERENCED APPLICATION

This application claims priority from and benefit of provisional patentapplication Ser. No. 61/659,692, filed on Jun. 14, 2012, which isincorporated herein by reference, in its entirety, for all purposes.

BACKGROUND OF THE DISCLOSURE

1. Field of the Disclosure

The present disclosure generally relates to the detection of spoofingand denial of service (DoS) attacks on networks. More particularly, thedisclosure relates to reliably determining whether an attack isoccurring or has occurred.

2. Description of the Related Art

A significant problem in Internet security is detecting network attacksthat use source-spoofed Internet Protocol (IP) traffic. The purpose ofdetecting these attacks is to give a network operator warning thatdefensive actions should be taken and that hosts on the network may becompromised. Others have tried to solve the problem of detecting spoofedpackets by different means and have built or proposed filters fordropping packets that are determined to be spoofed.

Some approaches to dealing with this problem are discussed in M.Nagaratna, V. K. Prasad and S. T. Kumar, “Detecting and PreventingIP-spoofed DDoS Attacks by Encrypted Marking Based Detection andFiltering (EMDAF),” in International Conference on Advances in RecentTechnologies in Communication and Computing, Kottayam, Kerala, 2009.Other approaches are discussed in K. Levitt and S. Templeton, “DetectingSpoofed Packets,” in Proceedings of The Third DARPA InformationSurvivability Conference and Exposition, Washington, D.C. USA, 2003.Further approaches are discussed in X. Yang, “A DoS-limiting NetworkArchitecture,” in ACM SIGCOMM, Philadelphia, Pa. USA, 2005.

Conventional techniques do not provide a system or method for monitoringtraffic to reliably determine when an attack occurs so as to alert theoperator of the network or sub-network so that defensive measures can beinitiated. There is a need for such a system.

SUMMARY OF THE DISCLOSURE

Prior solutions provide the tools to detect and filter individualpackets, but do not determine the level at which the quantity of spoofedIP packets constitutes an attack that should be reported to networkadministrators. This is important in the context of large InternetService Provider (ISP) monitoring since there is always a low level oftraffic that appears spoofed (i.e. either because it is spoofed or dueto false positives in the spoof-detection algorithm). Reporting all ofthis traffic to an operator would cause too many alarms and would hinderthe operator's response.

While the prior solutions typically provide methods of detecting whethera given packet has a spoofed source address, the present disclosure usesthose methods to provide alerts to the network operator that a too-largenumber of such packets have been observed for a given destinationsubnet. Thus, this disclosure is directed to the operational benefit ofusing the results of detection, not the detection itself.

The present disclosure couples anomalous traffic detection techniquesgenerally, and IP spoof-detection software with a self-adjusting,real-time filtering anomaly detector to detect attacks and to overcomethe deficiencies of the prior art.

The disclosure is directed to a system for monitoring Internet traffic,comprising a first apparatus for detecting Internet traffic messagesthat are recognized as anomalous attacks; a counter for counting theInternet traffic messages that are recognized as the anomalous attacksto provide a count; a second apparatus for computing a running averageof the number of Internet traffic messages that are recognized asanomalous attacks; and a comparator for comparing the count to therunning average and to provide an anomalous attack alarm if the count isgreater than a multiple of the running average.

The anomalous attack alarm is terminated if the count is less than asecond multiple of the running average, wherein the second multiple is asmaller multiple than the first multiple. The running average is updatedusing smoothing, which is preferably exponential smoothing.

The running average is updated no more frequently than at a predefinedinterval, and is set to always be a positive number.

The system can further comprise a database for storing records ofanomalous attacks. The processor can determine whether a record of ananomalous attack has been in the database for a predetermined period oftime, at which time that record is not used in a window to compute therunning average.

The anomalous attacks can comprise at least one of source spoofing anddenial of service attacks, as well as other attacks. The anomalousattacks can be recognized based on indicators including source spoofing,SYN ratio, source IP diversity, IP geolocation diversity and IP addresslist

The disclosure is also directed to a system for monitoring Internettraffic, comprising a processor which performs the steps of detectinganomalous attacks in a network flow; counting a number of Internettraffic messages that are detected as anomalous attacks to provide acount; computing a running average of the number of Internet trafficmessages that are detected as the anomalous attacks; comparing the countto the running average; and providing an anomalous attack alarm if thecount is greater than a multiple of the running average.

The disclosure is further directed to a method for monitoring Internettraffic comprising receiving a network flow and detecting anomalousattacks in the network flow; counting a number of Internet trafficmessages that are detected as anomalous attacks to provide a count;computing a running average of the number of messages that are detectedas anomalous attacks; and comparing the count to the running average toprovide an anomalous attack alarm if the count is greater than amultiple of the running average. The method can further compriseterminating the alarm if the count is less than a second multiple of therunning average, wherein the second multiple is a smaller multiple thanthe multiple of the running average. The method can further compriseupdating the running average using smoothing, which can be exponentialsmoothing.

In accordance with the method, the running average can be updated nomore frequently than at a predefined interval. Further, the runningaverage can be set to be a positive number.

The method can further comprise storing in a database, records ofanomalous attacks, and determining whether a record of an anomalousattack has been in the database for a predetermined period of time, aswell as removing the record from a window used to compute the runningaverage when the record has been in the database for a time greater thanthe predetermined period of time.

In accordance with the method, the anomalous attacks can comprise atleast one of source spoofing and denial of service attacks, as well asother attacks. The anomalous attacks can be recognized based onindicators including source spoofing, SYN ratio, source IP diversity, IPgeolocation diversity and IP address list.

The disclosure is also directed to a computer readable non-transitorystorage medium storing instructions of a computer program which whenexecuted by a computer system results in performance of steps of amethod, comprising receiving a network flow and detecting anomalousattacks in the network flow; counting a number of Internet trafficmessages that are detected as anomalous attacks to provide a count;computing a running average of the number of messages that are detectedas anomalous attacks; and comparing the count to the running average toprovide an anomalous attack alarm if the count is greater than amultiple of the running average.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart of a system operating according to the presentdisclosure

FIG. 2 is a schematic representation of a system architecture accordingto the present disclosure.

FIG. 3 is a schematic representation of the flow record processingaccording to the present disclosure.

FIG. 4 is a flow chart illustrating the operation of the capture daemonsof FIG. 3.

FIG. 5 is an illustration of a computer system used to implement thedisclosed embodiment.

A component or a feature that is common to more than one drawing isindicated with the same reference number in each of the drawings.

DESCRIPTION OF THE EMBODIMENTS

FIG. 1 shows the operation of an embodiment disclosed herein. While thisembodiment is described in relation to the detection of spoofed sourceIP address, it will be understood, as described below, that otheranomalous occurrences may be monitored.

At 101, data about flows from the network (generally in the form ofNetFlow and sFlow records) is sent from existing network monitoringagents. At 102, source spoofing is detected. For each record, the systemdetermines whether the source IP address is spoofed or not. This can bedone, for example, by using source profiles 104 and expected autonomoussystem (AS) sets, as disclosed in Vaidyanathan, R., Ghosh, A., Yuu-HengCheng, Yamada, A. and Miyake, Y., “On the use of BGP AS numbers todetect spoofing.” In 2010 IEEE GLOBECOM Workshops (GC Workshops), pp.1606-1610. Miami, Fla. USA, 2010). However, any method for detectingspoofed IP addresses could potentially be applicable.

At 106, a determination is made as to whether the source address for anitem in the flow was spoofed. If it was not spoofed, then flow returnsto 102. If at 106, it is determined that an item was spoofed, a counteris incremented at 107. The counter records the number of spoofed sourceaddresses seen by the destination subnet within a current interval. Thisinterval is known as the short-term window.

At 108, the system ensures that the running average is updated no morequickly than a defined parameter, the update interval. Typically, theupdate interval is preferably one second. The value can be any positivenumber. It is preferably implemented as a double-precision floatingpoint number. The number is independent of the network being monitored.

At 109, a determination is made as to whether multiple update intervalshave passed. At 110, if multiple update intervals have passed, therunning average is updated for missed intervals using smoothing. Thus,the system updates the average only when a record for the destinationenters or falls out of the short-term window. The system ensures thatwhen a running average that has not been updated in at least one updateinterval is updated, it is first updated with its current value for eachof the missing update intervals. The system ensures that the runningaverage is never set to zero, but is at least a small positive value.The system then continues processing the next record.

At 111, a determination is made as to whether the number of spoofedattacks in the short-term window is larger than a pre-defined multiple X(which is the upper alarm threshold), of a saved running average, wheretypical values for X are, for example only, 1.25, 1.5, 2, and 3. At 112,a determination is made as whether there is a current alarm for thedestination net or subnet. At 114, if there is no current alarm for thedestination subnet, the system posts an alarm to the database, and therecord of the spoof attempt is stored in a database. Flow then returnsto 102. At 116, a determination is made as to whether the number ofspoofed attacks is less than a second pre-defined multiple Y, an upperclear threshold, and whether there is a current alarm for thedestination subnet. Typical values for Y are 1, 1.1, 1.25, where Y isless than or equal to X. While there is latitude in the values chosenfor X and Y, as a practical matter, X and Y are defined as doubleprecision floating values, where for operational reasons, X should begreater than 1.0 and Y must be less than or equal to X. There are nohard rules for determining X and Y. An operator can decide these valuesbased on expected traffic spikes and the number of acceptable falsealarms. While the size of the network may be a factor in the operator'schoice of values, the values are typically chosen to match an intuitivenotion of what would be representative of much greater than averagevariability in the traffic.

At 118, if the number of spoofed attacks is less than the secondpre-defined multiple, and there is a current alarm for the destinationsubnet, then an alarm clear is sent to the database, and the alarm iscleared from the database. At 120, the running average is updated usingsmoothing. Flow returns to 102. If at 116, the number of spoofed attacksis more than the second pre-defined multiple, or there is a no currentalarm for the destination subnet, then flow proceeds directly to 120 toupdate the running average using smoothing, and then on to 102.

At 120, if there is no current alarm for the destination subnet in thedatabase, the system uses the value in the short-term window to updatethe running average, preferably by using single exponential smoothing. Auser-specified value α (between 0 and 1) is selected and updates thelong-term value (L) by multiplying the current short-term value (S) by αand adding it to the product of previous version of L and 1−α. This isrepresented symbolically as: L=S×α+L_(previous)×(1−α). At the start ofoperations the system uses a user-defined value known as the long-termvalue as the initial value of L. The system compares against thelong-term value before the end of the first user-defined interval knownas the “long term duration” even while it updates L. After the long-termduration, the system uses the computed L for comparison. The updateinterval is typically and preferably one second. The value can be anypositive number, and can be implemented as a double-precision floatingpoint number. The number is independent of the network being monitored.

The data entering at 102 can either be new flows from the network or oldflows that have fallen out of the window. For new flows, the counter at107 is incremented. For old (expired) flows the counter is decremented.The alarm processing (steps after 107) is the same for records enteringthe window as it is for those exiting the window.

FIG. 2 illustrates a system in which the disclosed embodiment isimplemented. An Internet Service Provider (ISP) network, shown generallyat 200, contains routers 202 that forward traffic through the network tothe hosts at the network edge. Some of these routers 204 may haveinternal flow agents. Other routers 206 are implemented in conjunctionwith these flow agents 208. Flow agents 208 monitor the network, collectdata (such as IP addresses, port numbers, and amount of traffic), andsend this data to a flow record processor 210. An alarm database 212 anda profile database 214 are associated with flow record processor 210.

Referring to FIG. 3, flow record processor 210 is composed of capturedaemons 302. In one implementation, one capture daemon is used for eachflow agent 206 and 208. The capture daemons 302 convert flow recordsfrom their native form (NetFlow or sFlow records) to a canonical form.Flow record processor 210 also includes a record processing component304, which processes the canonical records as described with respect toFIG. 1.

Referring to FIG. 4, at 101, the capture daemons receive flows in thetarget network 101 by receiving network flow monitoring data at 402 intheir native format. At 403 the flows are converted to a canonicalformat used in the described system. There are capture daemons for sFlowagents and for NetFlow agents. In general, each capture daemon canconvert only one type of record. The capture daemon starts and listensfor incoming records (either sFlow or NetFlow) from an agent configuredto send its records to that capture daemon. Upon receiving a nativerecord, the capture daemon extracts from that record the data necessaryto create a canonical record and creates the canonical record. At 404,the capture daemon then records the canonical record by writing it to afile. At 405, the capture daemon then determines if there are canonicalrecords in its current window that have expired; that is that are olderthan some predetermined threshold. At 406, if there are expired recordsin the file, the capture daemon removes those records from the currentwindow. At 407, the expired canonical records are sent to recordprocessing at 304 (FIG. 3) with a notation that these records haveexpired. At 408, the capture daemon then adds the new canonical recordto the current window. At 409, capture daemon sends a copy to recordprocessing at 304 with a notation that this record is newly entering thewindow. The capture daemon resumes processing incoming native records at402.

The operation of the capture daemons is innovative in that most capturedaemons only save data to a file, so that the records they capture canbe analyzed only periodically when the complete file is written, asopposed to processed in real time by another application, as is the casein the system described herein.

Embodiments of the system and method described herein includeself-adjusting, real-time filtering capabilities. Embodiments of thesystem and method described herein can be used for anomalies other thanspoofed IP addresses such as Denial-of-Service (DoS) attacks. In thecase of denial of service attacks, the running average consists not ofthe number of spoofed IP packets, but either of the total number ofpackets, the number of bytes in the total number of packets or thenumber of flows corresponding to those packets. The processing from 107on is identical.

Other indicators of anomalous IP attacks that can be utilized in thesystem described herein are noted below. The frequency of occurrence ofdifferent events or parameters is monitored by the system.

SYN Ratio Indicator

TCP based applications require the establishment of a connection betweena client and a server using a 3-way handshake protocol. The handshake isinitiated by the client who sends the server a TCP packet with the SYNflag set (aka SYN packet). A successful connection results in theexchange of non-SYN (data) packets over the established connectionbetween the server and clients. A typical bot-based DoS attack sends alarge number of SYN packets to a server. Each SYN packet in the SYNflood results in the allocation of TCP state at the server and a SYN-ACKsent to the client. The attacking bots do not respond to the SYN-ACKthus consuming resources at the server.

The SYN ratio indicator provides an early warning of DoS attacks byconsidering the volume of SYN packets relative to the overall volume ofTCP traffic to a server. A SYN flood attack could be distinguished froma so-called flash crowd because a SYN flood would have a significantlyhigher ratio of SYN packets. The SYN ratio indicator maintains countersof observed SYN and non-SYN traffic within each time window. It alsomaintains long-term rates of observed SYN-traffic to observed non-SYNtraffic across multiple time windows. Rates computed for a given timewindow are compared against the current long-term rate to determinewhether an alert needs to be raised. In case no alert is raised for agiven time window, the computed rate for the time window is used toupdate the long term rate.

Source IP Diversity Indicator

A botnet originated DDoS attack typically uses a large number of bots tooverwhelm a target. In addition, many botnets may also employ randomsource IP address spoofing to hide the location of individual bots. Itis thus possible that during a large scale DDoS attack the number ofunique source IP addresses for a given destination IP may be quite largerelative to normal operations. It may be possible to provide earlywarning of DDoS/RDDoS attacks by considering the number of unique sourceIP addresses observed within a time window for a given destination IPaddress. The source IP diversity Indicator maintains counters ofobserved unique source IP addresses over each time window to allowcomputation of a short term source IP diversity rate for a givendestination. Short term source IP diversity is used in conjunction witha long term source IP diversity rate in a manner similar to the SYNratio Indicator above to determine whether Alerts should be raised.

IP Geolocation Diversity Indicator

DDoS attacks may employ bots located in geographically diverse regions.Therefore it is expected that the number of unique geographical areasfrom which traffic is observed for a destination could be relativelylarge when a DDoS attack is in progress. Given a source IP address, itis possible to obtain a coarse grained measure of its geographicallocation either from a whois server or from the RIR delegated IP addresslists. The IP Geolocation Diversity Indicator maintains a count of theunique geographical locations from where traffic is observed for a givendestination within the current time window. As before, this is comparedagainst a long term rate to determine the presence of geolocationanomalies for the given destination.

IP Address List Indicator

Blacklists containing IP addresses of known malicious traffic sourcesare publicly available from various trusted providers. Typically theselists identify either specific IP addresses or IP address subnets thatare known to originate malicious traffic. The IP Address List Indicatoranalyzes the presence of IP addresses from these lists in observed flowdata. An instance of this Indicator is associated with a particular IPaddress list that is provided as configuration input.

Alert generation and long term rate computation is performed using atime window based analysis approach similar to the one described for theprevious Indicators. In addition to the above, pure volume basedindicators that are computed in terms of packet, byte and flow countsacquired from flow records can be used. As with the previously listedIndicators, these volume-based Indicators compute data volumes per timewindow and maintain long term trends against which to compare per timewindow behavior. For example, large occurrences of the SYN Ratio, SourceIP Diversity and Rate based indicator alerts could indicate theoccurrence of a SYN flood based DDoS attack. Large occurrences of SYNRatio, Spoofed Source and Rate based indicator alerts could indicate thepresence of a spoofed SYN flood attack. Large occurrences of SpoofedSource, Rate based and Source IP Diversity indicators could indicate aDoS attack with random spoofing.

Destination IP Specific

An analyst can filter alerts based on destination IP addresses ordestination IP prefixes of interest in conjunction with some subset ofindicator types. If a certain destination IP is known to be under attackor expected to be attacked, monitoring indicator activity would helpdetermine the nature of the attack and thereby the appropriatemitigation mechanism. Thus a small number of Source IP DiversityIndicator alerts but a large number of Rate based indicator alerts for adestination could indicate that traffic from a small number of sourcesis causing a DDoS. Possible mitigation mechanisms could include socalled blackholing only for selected source addresses.

It is noted that the present disclosure focuses on the use of thedetection instead of the detection mechanism itself. The system andmethod described herein uses the detection of individual spoofedpackets, or other anomalous events, to monitor the security of thedestination subnet. The present disclosure recognizes that spoofdetectors, or other anomalous event detectors, will have some number offalse positives (i.e. they will declare a certain percentage of packetsas spoofed even if they are not). The present disclosure can detect anattack even in the presence of a given percentage of false positivedetections. The present disclosure assumes that there will always be acertain number of anomalous packets detectable in the network. Thisassumption allows the present system to be used on a large-scale networkto detect major attacks on destination subnets.

Thus, the system and method disclosed herein allow an operator to detectan attack to a specific destination subnet of interest instead of justindividual spoofed packets. This is advantageous for a large networkoperator (i.e. Tier I ISP) where the volume of individual spoofedpackets may overwhelm the operator. The attack detection is based on arunning average of network conditions, so it can adjust to gradualchanges in network traffic.

An ISP can use the system and method disclosed herein to monitor its ownnetwork to detect incipient or on-going attacks. An ISP can also use thesystem and method disclosed herein to provide an additional service toits customers to detect incipient or on-going attacks on the customers'network. The system and method are also of use to TCP/IP networkequipment vendors with product for network monitoring.

Referring to FIG. 5, computer system 5400, on which the present methodand system can be implemented, includes a computer 505 coupled to anetwork 520, e.g., the Internet. Computer 505 includes a user interface510, a processor 515, and a memory 525. Computer 505 may be implementedon a general-purpose microcomputer. Although computer 505 is representedherein as a stand-alone device, it is not limited to such, but insteadcan be coupled to other devices (not shown) via network 520.

Processor 515 is configured with logic circuitry that responds to andexecutes instructions. Memory 525 stores data and instructions forcontrolling the operation of processor 515. Memory 525 may beimplemented in a random access memory (RAM), a read only memory (ROM),or a combination thereof. One component of memory 525 is a programmodule 530. Program module 530 contains instructions for controllingprocessor 515 to execute the methods described herein.

The term “module” is used herein to denote a functional operation thatmay be embodied either as a stand-alone component or as an integratedconfiguration of a plurality of sub-ordinate components. Thus, programmodule 530 may be implemented as a single module or as a plurality ofmodules that operate in cooperation with one another. Moreover, althoughprogram module 530 is described herein as being installed in memory 525,and therefore being implemented in software, it could be implemented inany of hardware (e.g., electronic circuitry), firmware, software, or acombination thereof.

User interface 510 includes an input device, such as a keyboard orspeech recognition subsystem, for enabling a user to communicateinformation and command selections to processor 515. User interface 510also includes an output device such as a display or a printer. A cursorcontrol such as a mouse, track-ball, or joy stick, allows the user tomanipulate a cursor on the display for communicating additionalinformation and command selections to processor 515. Processor 515outputs, to user interface 510, a result of an execution of the methodsdescribed herein. Alternatively, processor 515 could direct the outputto a remote device (not shown) via network 520.

While program module 530 is indicated as already loaded in memory 525,it may be configured on a storage medium 535 for subsequent loading intomemory 525. Storage medium 535 can be any conventional storage mediumthat stores program module 530 thereon in tangible form. Examples ofstorage medium 535 include a hard disk drive, a floppy disk, a compactdisk, a magnetic tape, a read only memory, an optical storage media,universal serial bus (USB) flash drive, a digital versatile disc, or azip drive. Alternatively, storage medium 535 can be a random accessmemory, or other type of electronic storage, located on a remote storagesystem and coupled to computer 505 via network 520.

It will be understood that the disclosure may be embodied in a computerreadable non-transitory storage medium storing instructions of acomputer program which when executed by a computer system results inperformance of steps of the method described herein. Such storage mediamay include any of those mentioned in the description above.

The techniques described herein are exemplary, and should not beconstrued as implying any particular limitation on the presentdisclosure. It should be understood that various alternatives,combinations and modifications could be devised by those skilled in theart. For example, steps associated with the processes described hereincan be performed in any order, unless otherwise specified or dictated bythe steps themselves. Further, while the embodiments described hereinhave been implemented by a digital processor running a series ofcomputer instructions, other embodiments may be implemented usingvarious hardware components and circuits. For example, circuits can beused to implement various counters, timers and comparators to implementthe system and method described herein. The present disclosure isintended to embrace all such alternatives, modifications and variancesthat fall within the scope of the appended claims.

The terms “comprises” or “comprising” are to be interpreted asspecifying the presence of the stated features, integers, steps orcomponents, but not precluding the presence of one or more otherfeatures, integers, steps or components or groups thereof.

What is claimed is:
 1. A computer system for monitoring security of adestination subnet, the computer system comprising: a memory; and aprocessor in communications with the memory, wherein the computer systemis configured to perform a method, the method comprising: detecting, bythe processor, Internet traffic messages that are recognized asanomalous attacks; counting by the processor, a number of the Internettraffic messages that are recognized as the anomalous attacks seen by adestination subnet within a current interval to provide a count;computing by the processor, over a plurality of intervals, a runningaverage, wherein the running average comprises an average number ofInternet traffic messages that are recognized as anomalous attacks perinterval of the plurality of intervals; comparing the count to therunning average; based on determining that the count is greater than afirst multiple of the running average, providing an anomalous attackalarm for the destination subnet; and based on determining that thecount is smaller than a second multiple of the running average, checkingthe memory for an anomalous attack alarm for the destination subnet, andclearing any anomalous attack alarm for the subnet located in thememory, wherein the second multiple is a smaller multiple than the firstmultiple.
 2. The system of claim 1, further comprising updating therunning average by smoothing, if the count is below the first multiple.3. The system of claim 1, further comprising: storing records ofanomalous attacks; and determining, by the processor, whether a recordof an anomalous attack has been in the database for a predeterminedperiod of time.
 4. The system of claim 1, wherein the running average isa positive number.
 5. The system of claim 1, wherein each of theanomalous attacks comprises at least one of: source spoofing or denialof service attacks.
 6. The system of claim 1, wherein the runningaverage is updated no more frequently than at a predefined interval. 7.The system of claim 2, wherein the smoothing is exponential smoothing.8. The system of claim 3, wherein the running average is computed in acurrent time window, and when a record has been in the database for atime greater than predetermined period of time, that record is removedfrom the time window for purposes of computing the running average.
 9. Asystem for monitoring Internet traffic, comprising: a memory comprisinga database; and a processor in communications with the memory, whereinthe computer system is configured to perform a method, the methodcomprising: detecting, by the processor, Internet traffic messages asanomalous attacks in a network flow; counting, by the processor, anumber of Internet traffic messages that are detected as anomalousattacks seen by a destination subnet within a current interval toprovide a count; computing, by the processor over a plurality ofintervals, a running average, wherein the running average comprises anaverage number of Internet traffic messages that are detected as theanomalous attacks per interval of the plurality of intervals; comparingthe count to the running average; based on determining that the count isgreater than a first multiple of the running average, sending ananomalous attack alarm for the destination subnet to the database; andbased on determining that count is smaller than a second multiple of therunning average, checking the database for an anomalous attack alarm forthe destination subnet, and based on locating the anomalous attack alarmfor the destination subnet in the database, clearing the locatedanomalous attack alarm for the destination subnet from the database,wherein the second multiple is a smaller multiple than the firstmultiple.
 10. The system of claim 9, further comprising: updating therunning average by smoothing, if the count is a third multiple, whereinthe third multiple is less than the first multiple of the runningaverage.
 11. The system of claim 9, wherein each of the anomalousattacks comprises at least one of source spoofing or denial of serviceattacks.
 12. The system of claim 9, wherein the running average isupdated no more frequently than at a predefined interval.
 13. The systemof claim 9, wherein the running average is a positive number.
 14. Thesystem of claim 10, wherein the smoothing is exponential smoothing. 15.The system of claim 10, wherein the detecting further comprises storingrecords in the database for Internet traffic message as anomalousattacks in the network flow.
 16. The system of claim 15, furthercomprising: determining, by the processor, that a record of the recordsin the database has been in the database for a predetermined period oftime and based on the determining, removing, by the processor, therecord from a window used to compute the running average.
 17. A methodfor monitoring Internet traffic comprising: obtaining, by a processor, anetwork flow and detecting anomalous attacks in the network flow;counting, by the processor, a number of Internet traffic messages in thenetwork flow that are detected as anomalous attacks seen by adestination subnet within a current interval and providing a count;computing, by the processor, over a plurality of intervals, a runningaverage, wherein the running average comprises an average number ofmessages that are detected as anomalous attacks per interval of theplurality of intervals; comparing the count to the running average;based on determining that the count is greater than a first multiple ofthe running average, providing an anomalous attack alarm for thedestination subnet; and based on determining that the count is smallerthan a second multiple of the running average, checking the memory foran anomalous attack alarm for the destination subnet, and clearing anyanomalous attack alarm for the subnet located in the memory, wherein thesecond multiple is a smaller multiple than the first multiple.
 18. Themethod of claim 17, wherein if the count is a less than the firstmultiple of the running average, updating the running average usingsmoothing.
 19. The method of claim 17, wherein the running average isupdated no more frequently than at a predefined interval.
 20. The methodof claim 17, further comprising setting the running average to be apositive number.
 21. The method of claim 17, further comprising: storingin a database records of anomalous attacks, and determining whether arecord of an anomalous attack has been in the database for apredetermined period of time.
 22. The method of claim 17, wherein eachof the anomalous attacks comprises at least one of: source spoofing ordenial of service attacks.
 23. The method of claim 18, wherein thesmoothing is exponential smoothing.
 24. The method of claim 21, furthercomprising removing a record from a window used to compute the runningaverage when the record has been in the database for a time greater thanthe predetermined period of time.
 25. A computer readable non-transitorystorage medium storing instructions of a computer program which whenexecuted by a computer system results in performance of a method,comprising: obtaining, by a processor, a network flow and detectinganomalous attacks in the network flow; counting, by the processor, anumber of Internet traffic messages in the network flow that aredetected as anomalous attacks seen by a destination subnet within acurrent interval and providing a count; computing, by the processor,over a plurality of intervals, a running average, wherein the runningaverage comprises an average number of messages that are detected asanomalous attacks per interval of the plurality of intervals; comparingthe count to the running average; based on determining that the count isgreater than a first multiple of the running average, providing ananomalous attack alarm for the destination subnet; and based ondetermining that the count is smaller than a second multiple of therunning average, checking the memory for an anomalous attack alarm forthe destination subnet, and clearing any anomalous attack alarm for thesubnet located in the memory, wherein the second multiple is a smallermultiple than the first multiple.
 26. The computer readablenon-transitory storage medium of claim 25, wherein each of the anomalousattacks comprises at least one of: source spoofing or denial of serviceattacks.